Articles

By: (GCIH, GPEN, GWAPT)

Publication: The Colorado Banker, September/October 2017

Colorado Banker Sept/Oct 2017

It seems that every week a news story appears detailing new hacking activity originating from organized groups with interesting names such as Energetic Bear, Rocket Kitten, Crouching Yeti, Night Dragon and Sad Panda. While these names are colorful, the groups they are associated with are deadly serious. One might think that these groups are interested only in government or military secrets. However, businesses from all sectors are subject to attack. Successful compromises have been detected in areas such as power and water utilities, communications, and businesses holding personal identifying information. The motivations behind these attack groups are tied to political, commercial, and security needs. When considering this, it becomes obvious that all businesses and many individuals have information that would be valuable to these groups. Making the problem more complex, many organizations do not realize they are compromised until they are notified by an external source, usually law enforcement.


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)

Publication: The Kansas Banker, September 2017

Kansas Banker 2017

You're standing on the edge and everyone is cheering you on! The waters look deep, blue and promising, far below. As you look around, everyone else seems to be taking the plunge, smart devices gripped tight, right into "Bring Your Own Device."

A step closer to the edge. A faint glint on the water. Is that a fin? Just a dolphin playing in the sun, you decide. You exhale, take a deep breath and then…

"Wait!" a friendly voice cries out as a figure runs frantically in your direction. It’s your auditor!


By: (Network+, CISA)

Publication: Nebraska Banker, June/August 2017

Nebraska Banker July/August 2017

There was a time, seemingly not so long ago, when business cell phones had clunky keyboards, terrible screens, and limited everyday functionality outside of making calls and checking email. The introduction of the iPhone in 2007 changed all of that, combining not only the abilities listed above but also a music player to drown out the cubicle noise in the office, simple games to keep a person distracted from actual productivity, and a decent digital camera which enabled users to fill their storage with photos of their food, children, grandchildren, and pets. While these new features were great for the average consumer and led to increased adoption of smartphones, they created an additional headache for businesses with regard to balancing device security and user data on small, easily lost, and often personally owned devices. Users began wanting access to their business email on these smartphones while still retaining control over the devices themselves. This issue persists to this day, on phones as well as tablets, and it is imperative that controls are in place to ensure company data is kept safe.


By: (CISSP, CISA, Security+)

Publication: The Kansas Banker, July 2017

Kansas Banker July 2017

In the past, the Board has always been expected to make strategic decisions, choosing what was best for the overall success of their institution. For most institutions, these decisions were made with little information about, or regard for, cybersecurity. As threats to our information security evolve, so do examiner expectations for the Board of Directors.

With the release of the FFIEC’s Cybersecurity Assessment Tool in 2015, we saw specific examiner suggestions for improving Board oversight of an institution’s cybersecurity program and posture in their Overview for Chief Executive Officers and Board of Directors. The picture painted throughout all the suggestions provided is that of a Board who understands cyber risks and makes risk-based decisions. That picture may or may not be an overwhelming shift for your institution, but I think for the vast majority of us, there is room for growth in this area. For institutions with a large gap between their current Board oversight of cybersecurity and where they need to be, here are a few things to start with:


By:

Publication: The Community Banker, Summer 2017

The Community Banker Summer 2017

A specific type of malware named WannaCry made international headlines in May after achieving an unprecedented infection rate. Using EternalBlue, a recently leaked tool from the US Intelligence community, it installed malicious software that encrypted files and then required victims to pay a ransom to restore them. The timing of this tool’s release and its subsequent use in such a widespread event has taught – and retaught – network administrators around the globe to revisit the basic lessons of security.

Patching is still king.


By: (Security+)

Publication: The Kansas Banker, June 2017

The Kansas Banker June 2017

When you consider your bank’s security awareness training, what comes to mind? Maybe you think of an hour-long lecture you present (or attend) on an annual basis. Maybe you think of an online program you watched or a lengthy document you read. Whatever may come to mind, it is important to ask the question: How effective is this training?

TD Ameritrade Institutional and the Financial Planning Association Research and Practice Institute published a study in September 2016 describing how advisory firms manage cybersecurity awareness training. The results were not far from what I have come to know from time I have spent with banks. The study showed the vast majority (88%) of respondent firms said they spend two hours or less annually in on-going cybersecurity awareness training. Fifty percent of the same group said they conduct this training semi-annually or annually.


By: (GCIH, GPEN, GWAPT)

Publication: Nebraska Banker, March/April 2017

Nebraska Banker March/April 2017

Intrusion Detection Systems (IDS) have been around for over thirty years, dating back to the Intrusion Detection Expert System (IDES) in the mid-1980s. Intrusion detection technology continued to evolve with the introduction of host-based, network-based, and network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.

Intrusion Detection and Prevention Systems (IDPS) have traditionally been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, security appliances that fill multiple roles such as firewall, VPN, Internet filtering, antivirus, and IDPS have been placed on the market by multiple vendors. These devices, also known as Unified Threat Management (UTM) devices, may not always provide true IDPS services, since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by an IDPS when in fact they are not.


By: (Network+, CISA)

Publication: The Community Banker, Spring 2017

Community Banker Spring 2017

In 1982, a Coke machine at Carnegie Mellon University was modified to connect to the Internet and report inventory and temperature status. In 1985, the first alleged use of the term “Internet of Things” was by Peter T. Lewis before a technical panel organized by the FCC and U.S. Department of Commerce Minority Enterprise Telecommunications Seminars. It is only in recent years, however, that the Internet of Things, or IoT for short, has really taken off and influenced our daily lives.


By: (Security+)

Publication: The Kansas Banker, March 2017

Kansas Banker March 2017

Assessing risk is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of controls to alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)

Publication: Colorado Banker, March/April 2017

Colorado Banker Mar/Apr 2017

Floods. Hurricanes. Tornadoes. Fire. Power outages. The zombie apocalypse (well, maybe not that one). You don’t have to be in banking to know these threats exist in our world. Although they may not have an exhaustive, board-approved Business Continuity Plan ready to go in an emergency, the average person has some awareness that disasters occur and an instinct on what to do:

“The hurricane is projected to make landfall – shutter the windows and head to Aunt Martha’s.”

“There’s been a fire – call 911, get out of the building, stop, drop, and roll.”

Elementary, right? What about this one:
